permit KRLs that revoke certificates by serial number or
 key ID without scoping to a particular CA; ok markus@